mirror of
https://github.com/fleetdm/fleet
synced 2026-05-22 08:28:52 +00:00
156 lines
6.2 KiB
Go
156 lines
6.2 KiB
Go
package service
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/fleetdm/fleet/v4/server/contexts/viewer"
|
|
"github.com/fleetdm/fleet/v4/server/fleet"
|
|
"github.com/fleetdm/fleet/v4/server/mock"
|
|
"github.com/fleetdm/fleet/v4/server/ptr"
|
|
"github.com/fleetdm/fleet/v4/server/test"
|
|
"github.com/jmoiron/sqlx"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestSoftwareInstallersAuth(t *testing.T) {
|
|
ds := new(mock.Store)
|
|
|
|
license := &fleet.LicenseInfo{Tier: fleet.TierPremium, Expiration: time.Now().Add(24 * time.Hour)}
|
|
|
|
svc, ctx := newTestService(t, ds, nil, nil, &TestServerOpts{License: license})
|
|
|
|
testCases := []struct {
|
|
name string
|
|
user *fleet.User
|
|
teamID *uint
|
|
shouldFailRead bool
|
|
shouldFailWrite bool
|
|
}{
|
|
{"no role no team", test.UserNoRoles, nil, true, true},
|
|
{"no role team 0", test.UserNoRoles, ptr.Uint(0), true, true},
|
|
{"no role team", test.UserNoRoles, ptr.Uint(1), true, true},
|
|
{"global admin no team", test.UserAdmin, nil, false, false},
|
|
{"global admin team 0", test.UserAdmin, ptr.Uint(0), false, false},
|
|
{"global admin team", test.UserAdmin, ptr.Uint(1), false, false},
|
|
{"global maintainer no team", test.UserMaintainer, nil, false, false},
|
|
{"global mainteiner team 0", test.UserMaintainer, ptr.Uint(0), false, false},
|
|
{"global maintainer team", test.UserMaintainer, ptr.Uint(1), false, false},
|
|
{"global observer no team", test.UserObserver, nil, true, true},
|
|
{"global observer team 0", test.UserObserver, ptr.Uint(0), true, true},
|
|
{"global observer team", test.UserObserver, ptr.Uint(1), true, true},
|
|
{"global observer+ no team", test.UserObserverPlus, nil, true, true},
|
|
{"global observer+ team 0", test.UserObserverPlus, ptr.Uint(0), true, true},
|
|
{"global observer+ team", test.UserObserverPlus, ptr.Uint(1), true, true},
|
|
{"global gitops no team", test.UserGitOps, nil, true, false},
|
|
{"global gitops team 0", test.UserGitOps, ptr.Uint(0), true, false},
|
|
{"global gitops team", test.UserGitOps, ptr.Uint(1), true, false},
|
|
{"team admin no team", test.UserTeamAdminTeam1, nil, true, true},
|
|
{"team admin team 0", test.UserTeamAdminTeam1, ptr.Uint(0), true, true},
|
|
{"team admin team", test.UserTeamAdminTeam1, ptr.Uint(1), false, false},
|
|
{"team admin other team", test.UserTeamAdminTeam2, ptr.Uint(1), true, true},
|
|
{"team maintainer no team", test.UserTeamMaintainerTeam1, nil, true, true},
|
|
{"team maintainer team 0", test.UserTeamMaintainerTeam1, ptr.Uint(0), true, true},
|
|
{"team maintainer team", test.UserTeamMaintainerTeam1, ptr.Uint(1), false, false},
|
|
{"team maintainer other team", test.UserTeamMaintainerTeam2, ptr.Uint(1), true, true},
|
|
{"team observer no team", test.UserTeamObserverTeam1, nil, true, true},
|
|
{"team observer team 0", test.UserTeamObserverTeam1, ptr.Uint(0), true, true},
|
|
{"team observer team", test.UserTeamObserverTeam1, ptr.Uint(1), true, true},
|
|
{"team observer other team", test.UserTeamObserverTeam2, ptr.Uint(1), true, true},
|
|
{"team observer+ no team", test.UserTeamObserverPlusTeam1, nil, true, true},
|
|
{"team observer+ team 0", test.UserTeamObserverPlusTeam1, ptr.Uint(0), true, true},
|
|
{"team observer+ team", test.UserTeamObserverPlusTeam1, ptr.Uint(1), true, true},
|
|
{"team observer+ other team", test.UserTeamObserverPlusTeam2, ptr.Uint(1), true, true},
|
|
{"team gitops no team", test.UserTeamGitOpsTeam1, nil, true, true},
|
|
{"team gitops team 0", test.UserTeamGitOpsTeam1, ptr.Uint(0), true, true},
|
|
{"team gitops team", test.UserTeamGitOpsTeam1, ptr.Uint(1), true, false},
|
|
{"team gitops other team", test.UserTeamGitOpsTeam2, ptr.Uint(1), true, true},
|
|
}
|
|
|
|
for _, tt := range testCases {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
ctx := viewer.NewContext(ctx, viewer.Viewer{User: tt.user})
|
|
|
|
ds.GetSoftwareInstallerMetadataByTeamAndTitleIDFunc = func(ctx context.Context, teamID *uint, titleID uint, withScripts bool) (*fleet.SoftwareInstaller, error) {
|
|
return &fleet.SoftwareInstaller{TeamID: tt.teamID}, nil
|
|
}
|
|
|
|
ds.DeleteSoftwareInstallerFunc = func(ctx context.Context, installerID uint) error {
|
|
return nil
|
|
}
|
|
|
|
tokenExpiration := time.Now().Add(24 * time.Hour)
|
|
token, err := test.CreateVPPTokenEncoded(tokenExpiration, "fleet", "ca")
|
|
require.NoError(t, err)
|
|
ds.GetVPPTokenByTeamIDFunc = func(ctx context.Context, teamID *uint) (*fleet.VPPTokenDB, error) {
|
|
return &fleet.VPPTokenDB{
|
|
ID: 1,
|
|
OrgName: "Fleet",
|
|
Location: "Earth",
|
|
RenewDate: tokenExpiration,
|
|
Token: string(token),
|
|
Teams: nil,
|
|
}, nil
|
|
}
|
|
|
|
ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
|
|
return &fleet.AppConfig{}, nil
|
|
}
|
|
ds.NewActivityFunc = func(
|
|
ctx context.Context, user *fleet.User, activity fleet.ActivityDetails, details []byte, createdAt time.Time,
|
|
) error {
|
|
return nil
|
|
}
|
|
|
|
ds.TeamFunc = func(ctx context.Context, tid uint) (*fleet.Team, error) {
|
|
if tt.teamID != nil {
|
|
return &fleet.Team{ID: *tt.teamID}, nil
|
|
}
|
|
|
|
return nil, nil
|
|
}
|
|
|
|
ds.TeamExistsFunc = func(ctx context.Context, teamID uint) (bool, error) {
|
|
return false, nil
|
|
}
|
|
|
|
ds.GetAllMDMConfigAssetsByNameFunc = func(ctx context.Context, assetNames []fleet.MDMAssetName,
|
|
_ sqlx.QueryerContext) (map[fleet.MDMAssetName]fleet.MDMConfigAsset, error) {
|
|
return map[fleet.MDMAssetName]fleet.MDMConfigAsset{}, nil
|
|
}
|
|
|
|
_, err = svc.DownloadSoftwareInstaller(ctx, false, "media", 1, tt.teamID)
|
|
if tt.teamID == nil {
|
|
require.Error(t, err)
|
|
} else {
|
|
checkAuthErr(t, tt.shouldFailRead, err)
|
|
}
|
|
|
|
err = svc.DeleteSoftwareInstaller(ctx, 1, tt.teamID)
|
|
if tt.teamID == nil {
|
|
require.Error(t, err)
|
|
} else {
|
|
checkAuthErr(t, tt.shouldFailWrite, err)
|
|
}
|
|
|
|
// Note: these calls always return an error because they're attempting to unmarshal a
|
|
// non-existent VPP token.
|
|
_, err = svc.GetAppStoreApps(ctx, tt.teamID)
|
|
if tt.teamID == nil {
|
|
require.Error(t, err)
|
|
} else if tt.shouldFailRead {
|
|
checkAuthErr(t, true, err)
|
|
}
|
|
|
|
err = svc.AddAppStoreApp(ctx, tt.teamID, fleet.VPPAppTeam{VPPAppID: fleet.VPPAppID{AdamID: "123", Platform: fleet.IOSPlatform}})
|
|
if tt.teamID == nil {
|
|
require.Error(t, err)
|
|
} else if tt.shouldFailWrite {
|
|
checkAuthErr(t, true, err)
|
|
}
|
|
|
|
// TODO: configure test with mock software installer store and add tests to check upload auth
|
|
})
|
|
}
|
|
}
|